8 comments

[ 40.2 ms ] story [ 734 ms ] thread
The sad part is that my initial reaction is: "only 57?"
After the first few rolled in I thought it would be quite a bit higher.

However there are thousands of inactive and revoked keys, so it's more accurate to say "I found only 57 that where not yet revoked by their authors".

Very cool use of github actions for ongoing scanning; out of curiosity, why not npm also?
NPM is already scanned by GitHub themselves (both being sister companies of MS)
What's the latency on GitHub's detection / AWS quarantine? Can a hacker watch your repo and use the key first?

(I guess the hacker can also just watch every 5 mins instead of every 30 mins...)

A shallow question, but I am not familiar with aws. how do you allow access to your aws resource from your desktop application? that is, I would have assumed you would need to embed some sort of aws key.
It depends on what you are trying to do.

If you're a developer, needing access to AWS resources - then you install credentials on your machine. Ideally you use some form of short lived credentials, provided by say AWS SSO.

Generally if you're shipping an application, you don't give them credentials to access to your AWS Resources directly.

For instance, perhaps you want to allow someone to download a file from S3 - well you would provide some form of private API that would generate a pre-signed AWS S3 Uri. In that pre-signed Uri, there's an explicit expiry time.

Most other things, you would probably stand up an API to handle interacting with your AWS resources on behalf of a customer.

One instance I saw was someone that built some agent-endpoint software that streamed logs direct to AWS Kinesis. Their desktop application would periodically request AWS Keys from their API which were only valid for some short period of time, and scoped to writing to a specific Kinesis endpoint.